How to generate a CSR code on Exchange 2013 Shell

  CSR generation instructions

In Exchange 2013, you can generate the Certificate Signing Request (CSR) in two ways:

1. Exchange Admin Center (EAC)

2. Shell

Here, you will see how to generate the CSR in Shell.

Open the Exchange Management Shell and run the following command:

New-ExchangeCertificate -GenerateRequest -RequestFile "path_to_csr.txt" -FriendlyName "friendly_name" -SubjectName "c=Country,s=State,l=Locality,o=Organization,ou=Organizational_Unit,cn=Common_Name" -DomainName additional.domain.com -PrivateKeyExportable $true

Here is a short description of the parameters:

  • RequestFile: path on the server where the CSR file will be saved. In the example, it is saved to the C: drive, in the folder certs.
  • FriendlyName: you can use this option to identify the correct CSR later.
  • SubjectName: fields that are checked by the Certificate Authority.
  • Country: two-digit code of the country your domain is operating/registered in. You can check the ISO 3166-2 code for your country here or here.
  • State: full name of the state/province/region inside the country. If there are no states or regions in your country, you can use the city name in this field.
  • Locality: full name of the city.
  • Organization: full registered name of your organization. You can enter NA here if you do not have a company, as Certificate Authorities do not verify the company for domain-validated (DV) certificates. Usually, it is enough to use the domain-validated certificate to secure Exchange services.
  • Organizational Unit: name of the department inside the company. If there is no department in your company, you may enter NA.
  • Common Name: domain name you need to secure. This will become the primary domain of your multi-domain certificate.
  • Domain Name: any additional domain(s) which will take one of the slots in your certificate.
  • PrivateKeyExportable $true: this part of the command allows the private key to be exported from the server. Use it if you are going to export the certificate later and install it on another server. Using $false here or omitting this part of the command will prevent the private key from being exported and will cause issues with using the certificate on other servers.

Note: Use only alphanumeric characters and avoid special characters like "/", "&", "å", etc.
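
The same request with the subject fields checked against the character rule in the note before the CSR is created, as an added example that is not part of the original guide. The function name New-CsrSubjectName, the allowed character set and the sample values are assumptions; certutil -dump decodes the saved request so the subject and domain names can be reviewed before submission.

```powershell
# Added example, not part of the original guide. Run in the Exchange Management Shell.
function New-CsrSubjectName {
    param(
        [Parameter(Mandatory=$true)][string]$Country,
        [Parameter(Mandatory=$true)][string]$State,
        [Parameter(Mandatory=$true)][string]$Locality,
        [Parameter(Mandatory=$true)][string]$Organization,
        [Parameter(Mandatory=$true)][string]$OrganizationalUnit,
        [Parameter(Mandatory=$true)][string]$CommonName
    )
    # The country field is a two-letter code (case-sensitive match, ASCII only).
    if ($Country -cnotmatch '^[A-Za-z]{2}$') {
        throw "Country must be a two-letter code, got '$Country'."
    }
    # Assumption: ASCII letters, digits, space, dot and hyphen are accepted;
    # "/", "&", "å", commas and anything else are rejected before they reach the CSR.
    $fields = [ordered]@{
        s  = $State
        l  = $Locality
        o  = $Organization
        ou = $OrganizationalUnit
        cn = $CommonName
    }
    foreach ($key in $fields.Keys) {
        if ($fields[$key] -cnotmatch '^[A-Za-z0-9 .-]+$') {
            throw "Field '$key' has a character outside A-Z, a-z, 0-9, space, dot, hyphen: '$($fields[$key])'"
        }
    }
    $parts = @("c=$($Country.ToUpperInvariant())")
    foreach ($key in $fields.Keys) { $parts += "$key=$($fields[$key])" }
    $parts -join ','
}

# Constructed sample values; replace with your own details.
$subject = New-CsrSubjectName -Country 'US' -State 'California' -Locality 'Los Angeles' `
    -Organization 'Example Org' -OrganizationalUnit 'IT' -CommonName 'mail.example.com'

$request = @{
    GenerateRequest      = $true
    RequestFile          = 'path_to_csr.txt'        # placeholder path from the guide
    FriendlyName         = 'friendly_name'          # placeholder from the guide
    SubjectName          = $subject
    DomainName           = 'additional.domain.com'
    PrivateKeyExportable = $true
}
New-ExchangeCertificate @request

# Decode the request and confirm the subject and domain names before submitting it.
certutil -dump 'path_to_csr.txt'
```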

After the certificate is issued by the Certificate Authority, you can use this guide for installation.